🛡️ Sentinel: [CRITICAL] Fix SQL injection in sqliteColumnExists

[mattjoyce]

🚨 Severity: CRITICAL
💡 Vulnerability: A SQL injection vulnerability existed in internal/storage/sqlite.go where fmt.Sprintf was used to insert an unvalidated table name directly into a PRAGMA table_info SQL string.
🎯 Impact: If sqliteColumnExists was ever called with an untrusted table argument, an attacker could inject arbitrary SQL queries.
🔧 Fix: Switched from using a direct PRAGMA statement to using SQLite's table-valued function pragma_table_info(?), which properly supports standard parameter binding (?) and entirely eliminates the injection vector. The column names were explicitly mapped to preserve compatibility. Added a critical entry to the .jules/sentinel.md journal.
✅ Verification: Ran go test -v ./internal/storage/... successfully, confirming no regressions in SQLite database operations or schema validations.

---

PR created automatically by Jules for task 1210334762389177713 started by @mattjoyce

Summary by CodeRabbit

• Bug Fixes
  • Fixed a critical security vulnerability in database query handling to prevent potential injection attacks.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	ductile	6c9caaf	Commit Preview URL Branch Preview URL	May 27 2026, 11:56 AM

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 2db76ef2-591d-48fd-a596-79f89574000f

📥 Commits

Reviewing files that changed from the base of the PR and between 1ed7ef3 and 6c9caaf.

📒 Files selected for processing (2)

• .jules/sentinel.md
• internal/storage/sqlite.go

---

📝 Walkthrough

Walkthrough

This PR fixes a SQL injection vulnerability in the sqliteColumnExists function by replacing string interpolation with a parameterized SQL call using SQLite's pragma_table_info(?) function. A sentinel security note documents the issue, root cause, and prevention approach.

Changes

SQL Injection Prevention

Layer / File(s)	Summary
SQL injection mitigation in sqliteColumnExists internal/storage/sqlite.go, .jules/sentinel.md	sqliteColumnExists now queries column metadata via parameterized pragma_table_info(?) instead of string-interpolated PRAGMA table_info(%s). Security comments clarify the injection prevention intent. A sentinel entry documents the vulnerability, SQLite PRAGMA parameterization limitations, and the mitigation strategy.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A table name slipped through unguarded gates,
But now it binds where safety waits,
pragma_table_info holds its ground,
With quotes for fields, no SQL wound.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly summarizes the main change: fixing a critical SQL injection vulnerability in sqliteColumnExists, which is the primary focus of the PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel/fix-sql-injection-1210334762389177713

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}